Welcome to our final installment in the "Data Privacy for the Non-Technical Person" series. In case you missed the other two blogs in this series, here are the links to part one and part two. This third and final blog will cover data privacy compliance regulations and how an organization would begin to develop a security policy.
We hope that these blogs have been informative and answered questions that you might have had about data privacy. If you still have questions, please feel free to send us an email. Additionally, download our podcast "Data Privacy for the Non-Technical Person" to hear my conversation with Patrick Townsend, Founder & CTO, in its entirety.
Are there any laws or regulations requiring businesses to protect their sensitive data?
Yes. There are quite a number of laws, and they cross over each other too. Many find themselves having to work with several regulations when protecting data. If you take credit cards, you fall under the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a private regulation promoted by the card brands (Visa, MasterCard, etc.). If you are a bank or engaged in the banking industry, you fall under the Gramm-Leach-Bliley Act (GLBA) and FFIEC regulations for protecting information. Those are specific to the banking industry. If you go to the doctor or are a doctor/medical clinic or any place in the medical industry, you fall under the HIPAA/HITECH Act to protect patients' medical information. There are also other regulations too. The government is moving laws through Congress to define protections for PII. So there are a number of regulations affecting data that needs to be protected.
So how would an organization begin to develop a security policy?
This is a real challenge, particularly if you are starting for the first time. It can seem overwhelming, especially when we read about the sophistication of data breaches and the attacks on companies. Keep it simple to start – there are things that you can do that are very effective upfront, and know that you are vulnerable. I think one thing that sometimes inhibits people from taking action is thinking that they are not going to be subject to a data breach. That is a dangerous attitude. So, keeping it simple, taking simple steps, ranking where the vulnerabilities are and doing those things first are really important things. There are really the obvious things like making sure you have good anti-virus software running on your computers and using good, strong passwords. If you have a web site, there are scanning tools that will help you scan to see if your web site is secure. And if your business is handling sensitive data, run background checks as part of your new employment procedures. Finally, there is some online help that can be really useful for most people – sans.org is a place where you can go to get basic policy information and get educated on threats. For businesses that need to secure data, we have a lot of resources on our website to help you understand the various regulations and what encryption and key management tools you can use to begin protecting your data.
Download our podcast “Data Privacy for the Non-Technical Person” to hear more of this conversation.